Article 29 Working Party adopts opinion on personal data breach notification | Practical Law


The Article 29 Working Party has adopted an opinion (03/2014) on personal data breach notification, to assist all data controllers to decide whether to notify individuals of a personal data breach.


Practical Law Legal Update 2-563-3746 (Approx. 3 pages)


by Practical Law IP&IT
Published on 03 Apr 2014, European Union
The Article 29 Working Party has adopted an opinion (03/2014) on personal data breach notification to assist all data controllers in deciding whether to notify individuals of a personal data breach. The opinion considers the existing obligation on providers of electronic communications services under the E-Privacy Directive to notify a personal data breach to affected individuals without undue delay if the breach is likely to adversely affect their personal data or privacy. The E-Privacy Directive contains an exemption from the notification requirement if the data controller can demonstrate, to the satisfaction of the competent national authority, that it has implemented appropriate technological protection measures to render the relevant personal data unintelligible. The opinion is not limited to the electronic communications sector and provides examples from multiple sectors, in the context of the draft Data Protection Regulation (which proposes to extend the notification requirement to all sectors).
The opinion provides a non-exhaustive list of examples where individuals should be notified. In each case, it gives examples of the technical measures the data controller could have implemented before the breach (for example, data encrypted with a state-of-the-art algorithm, or securely hashed and salted passwords) to exempt it from the requirement to notify individuals. It also gives general guidance on cases not requiring notification and discusses the main issues that controllers may encounter when considering whether or not to notify individuals.